How to Setup Kiosk Auto-Logon with Microsoft Entra ID Account

Overview

Microsoft allows Intune administrators to provision devices for use without the requirement to type in a username or password. This allows users to walk to a device and start using it without the need for a corporate account or an Intune license.

Microsoft explain the use of kiosk mode devices in their documentation.

In this article we will go over how to setup a single app kiosk mode device with an Microsoft Entra ID auto logon account. By default, this setup doesn't accommodate auto logon with an Microsoft Entra ID account, a manual registry changes will be required for this to work.

Please note the below as per Microsoft's documentation:

Important
The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Entra ID account could potentially compromise confidential information.

Using this scenario, you will be able to assign a an Microsoft Entra ID user to auto logon to the kiosk mode device.

Note: Using this method requires manual changes to the registry and will expose the Microsoft Entra ID username and password in plain text in the device's registry.
You should only use this method when it's absolutely necessary and the account is setup with minimum privileges.

Contact Devicie to deploy a kiosk mode CIS profile so that your device is secure and is CIS compliant. Note that 15 CIS policies will appear as non-compliant on kiosk devices. This is required to allow the auto logon feature to work.

Steps

Microsoft provides a configuration profile template called "Kiosk" to allow Intune administrators to easily setup a configuration profile with a few clicks.

From your Intune portal, while logged in as an Intune administrator account navigate to the blade Devices > Configuration Profiles > Create > New Policy.
From the Create a profile popup, select
- Platform: Windows 10 and later
- Profile type: Templates
- Template name: Kiosk
Give the profile a name and a description (optional) then click Next.
Select:
- Select a kiosk mode: Single app, full-screen kiosk

- User logon type: Microsoft Entra user or group (Windows 10, version 1803 and later, or Windows 11)

- Click on Add and search for the username you want to use to auto logon and select it.
- Application Type: Add Microsoft Edge browser
Note: For a full list of supported browser features and policies, check this Microsoft article.
- Edge Kiosk URL: Type in the desired URL.
- Microsoft Edge kiosk mode type: Select your desired setup type
- Refresh browser after idle time: This will allow you to automatically refresh the browser every x minutes
- Setup your maintenance window for your kiosk mode device as required. This will restart the device, install updates, and remove any left over data from previous users' sessions.
Click on Next
Click on Save
Assign the profile to the desired group of devices then click Next
Add your applicability rules (if any) and click Next
Click Create

Your configuration profile setup is now complete.

Start enrolling a device to your tenant and sign in with an Intune licensed user to sync your security settings and profiles to the device. Upon restart, the device should auto logon with a kiosk user account.

Registry changes

Once the device finishes deploying follow the below:

Log into the device with a local administrator account
Open Start Menu and search for regedit
Navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Add the below values:
- "DefaultUserName"="your AAD account in the format of user.name@tenant.com"
- "AutoAdminLogon"="1"
- "DefaultPassword"="the password"
Reboot the device.
Upon reboot, the Microsoft Entra ID account should automatically log into the device and he browser should auto launch with the desired website.